Explore Vulnerabilities

Explore all Exploits:

Netsweeper 4.0.8 – Arbitrary File Upload and Execution

Netsweeper 4.0.8 (and probably other versions) allows an authenticated user with admin privileges on the Cloud Manager web console to upload arbitrary PHP code (e.g. a PHP shell) and then execute it. To replicate the bug, pipe the following request while being authenticated using admin privileges: http://netsweeper/webadmin/ajaxfilemanager/ajaxfilemanager.php From the response page you can upload any GIF-lookalike PHP shell (remember to use a basic evasion technique for the file to upload successfully, hint: filename="secuid0.php.gif" with a GIF-like header and the PHP shell following). Then, access your shell from: https://netsweeper/webadmin/deny/images/secuid0.php.gif and profit.

Netsweeper 3.0.6 – Authentication Bypass (Account and Policy Creation)

A non-authenticated user is able to provision new user accounts (and also create new policies under the same name as the newly created user accounts) by using the URL path: http:/netsweeper:8080/webadmin/nslam/index.php?username=secuid0&password=secuid0&ip=127.0.0.1&theme=Global%20Web%20Admin%20Theme&groupname=

Netsweeper 4.0.9 – Arbitrary File Upload and Execution

Netsweeper 4.0.9 (and probably other versions) allows an authenticated user with admin privileges to upload arbitrary PHP code (e.g. a PHP shell) and then execute it with root rights. To replicate the bug, an attacker must log in as admin at https://<netsweeper>/webadmin, go to System Tools | System Configuration, select 'Routes Advertising Service', then Add new Peer, and add the IP address of the Netsweeper server. The attacker must then copy and paste a malicious bash script into the 'File Template' field, set the 'Config file' field to '/tmp/secuid0.sh' and the 'Service Restart Command' field to '/bin/bash /tmp/secuid0.sh'. The attacker must then set up a netcat listener on port 1234 and click 'Save'. Once the malicious bash script is submitted, it will be executed with root privileges.

Netsweeper 4.0.8 – SQL Injection Authentication Bypass (Admin)

By adding two single-quotes in a specific HTTP request, it forces Netsweeper 4.0.8 (and probably other versions) to authenticate us as admin. The access gives us the ability to: i) "Back Up the System", which creates a downloadable system backup tarball file (containing the whole /etc, /usr and /var folders); ii) "Restart" the server; iii) "Stop the filters on the server".

Netsweeper 4.0.4 – SQL Injection

One specific parameter in Netsweeper 3.0.6, 4.0.3 and 4.0.4 (and probably other versions) was identified as being vulnerable to SQL injection attacks. Condition: The exploitation can be performed by any non-authenticated user with access to the vulnerable pages (usually from everyone). Vulnerable Page: http://netsweeper:8080/remotereporter/load_logfiles.php?server=<SQLi>&url=a Vulnerable GET Parameter: server

Netsweeper 2.6.29.8 – SQL Injection

Two specific parameters in two pages of the Netsweeper Content Filtering solution v2.6.29.8 (and probably earlier versions) are vulnerable to SQL injection. Condition: The exploitation can be performed by any non-authenticated user with access to the vulnerable pages (usually from everyone). Vulnerable Page I: http://netsweeper/webadmin/auth/verification.php Vulnerable POST Parameter: login Vulnerability Type: SQL Injection [SQLi-II] Vulnerable Page II: http://netsweeper/webadmin/deny/index.php Vulnerable POST Parameter: dpid

Microsoft Office 2007/2010 Crash

The crash is caused by a 1-bit delta from the original file at offset 0xA9B0. Standard tools did not identify anything significant about this offset in the minimized file. The crash is observed in Microsoft Office 2007 with the Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug also reproduced in Office 2010 running on Windows 7 x86.

Windows Kernel Crash in ATMFD.DLL OpenType Driver

A Windows kernel crash was encountered in the ATMFD.DLL OpenType driver while processing corrupted OTF font files. The crash was caused by an out-of-bounds read at the ATMFD+2a902 address. The crash was triggered when more than N bytes were being referenced, which cannot be protected by try-except.

Windows kernel crash in the ATMFD.DLL OpenType driver

We have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file. The crash was caused by a PAGE_FAULT_IN_NONPAGED_AREA (50) error, which occurs when invalid system memory is referenced. The address referenced was ff67a024, and the instruction address which referenced the bad memory address was 98b54072. The module name was ATMFD.DLL, and the process name was csrss.exe.